The Dell iDRAC performs many functions to manage a Dell PowerEdge server, ranging from day-to-day alerting to securing sensitive data. Its features allow an administrator to remotely perform at-the-box operations, including full keyboard and mouse control, mounting USB and other external media, controlling the power state of the server, and accessing the data stored on the system.

All of this access makes it critical that only authorized administrators can use the iDRAC. Relying on administrators to keep their credentials secure is not enough: requiring multi-factor authentication (MFA) for iDRAC access can be the difference between keeping and losing control of the server during a cyber security attack.

It is common security practice to lock down the local built-in accounts and use a directory service to authenticate users for daily administration. For directory services, the iDRAC supports Microsoft Active Directory and LDAP. The following MFA options are available in iDRAC for local and directory accounts:

Local iDRAC accounts:

  • Email-based
  • RSA SecurID
  • SSH Key
  • SmartCard

Directory accounts:

  • RSA SecurID
  • SmartCard
  • Password + one-time password (OTP)

Password + OTP support is new in iDRAC 7.00.60.00, and we have tested it in our ATC using FreeIPA.

Given these options, you can design a layered security policy that works for your organization. For the local built-in iDRAC accounts, specifically the "root" account, an email address can easily be configured for multi-factor authentication. Point this email at a distribution list of your trusted systems administrators: configuring iDRAC this way also notifies that group whenever the "root" account is used.

For everyday administration it makes sense to authenticate through directory services. Since most organizations run on-premises Microsoft Active Directory (AD), it is a natural choice. AD groups can be mapped to role-based access groups within the iDRAC. Active Directory has several options for password + OTP MFA, and many organizations already have one set up, which makes integrating it into iDRAC authentication very simple.
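The two recommendations above (email-based MFA on the local "root" account pointed at an admin distribution list, and AD groups mapped to iDRAC roles) are the kind of thing worth checking across a fleet rather than trusting by hand. The following is an added example, not code from the original article or from Dell: a small Python auditor that reads a `racadm get`-style key=value dump and reports accounts that break that policy. The dump is constructed for this example, and the attribute names it relies on (`Users.n.EmailAddress`, `Users.n.Simple2FA`, `ADGroup.n.Name`) and the `[Key=...]` section header format are assumptions; confirm them against the attribute registry of your iDRAC firmware version before relying on the script.

```python
"""Audit an iDRAC attribute dump against the MFA policy described above.

Added example; attribute names and dump format are assumptions, not
verified against any particular iDRAC release.
"""
import re

# Constructed: the mail domain that hosts the trusted admin distribution list.
TRUSTED_MAIL_DOMAIN = "example.com"

# Constructed sample in the key=value style that `racadm get` prints for
# an object. Attribute names below are assumed for illustration.
SAMPLE_DUMP = """\
[Key=iDRAC.Embedded.1#Users.2]
UserName=root
Enable=Enabled
Privilege=0x1ff
EmailAddress=idrac-admins@example.com
Simple2FA=Enabled
[Key=iDRAC.Embedded.1#Users.3]
UserName=svc_monitor
Enable=Enabled
Privilege=0x1
EmailAddress=
Simple2FA=Disabled
[Key=iDRAC.Embedded.1#Users.4]
UserName=
Enable=Disabled
[Key=iDRAC.Embedded.1#ADGroup.1]
Name=iDRAC-Administrators
Domain=corp.example.com
Privilege=0x1ff
"""

SECTION_RE = re.compile(r"^\[Key=(?P<key>[^\]]+)\]$")


def parse_dump(text):
    """Split racadm-style output into {section_key: {attribute: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group("key"), {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section, or not an attribute
        name, _, value = line.partition("=")
        current[name.strip()] = value.strip()
    return sections


def audit_mfa(sections, trusted_domain=TRUSTED_MAIL_DOMAIN):
    """Return a list of policy findings; an empty list means the dump is compliant."""
    findings = []
    ad_mappings = 0
    for key, attrs in sections.items():
        obj = key.split("#", 1)[-1]  # e.g. "Users.2" or "ADGroup.1"
        if obj.startswith("Users."):
            if attrs.get("Enable") != "Enabled":
                continue  # disabled user slots cannot log in, so no MFA needed
            user = attrs.get("UserName") or obj
            email = attrs.get("EmailAddress", "")
            if attrs.get("Simple2FA") != "Enabled":
                findings.append(f"{user}: email-based MFA is not enabled")
            if user == "root":
                # The root MFA mail must land on the trusted admin distribution list.
                domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
                if domain != trusted_domain.lower():
                    findings.append(
                        f"{user}: MFA email must be a {trusted_domain} distribution "
                        f"list, got '{email or 'none'}'"
                    )
        elif obj.startswith("ADGroup.") and attrs.get("Name"):
            ad_mappings += 1  # an AD group is mapped to an iDRAC role
    if ad_mappings == 0:
        findings.append("no Active Directory group is mapped to an iDRAC role")
    return findings


def audit_dump(text, trusted_domain=TRUSTED_MAIL_DOMAIN):
    """Convenience wrapper: parse then audit."""
    return audit_mfa(parse_dump(text), trusted_domain)


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print("FINDING:", finding)
```

Run against the constructed sample, the script flags only `svc_monitor`, which is enabled but has no email MFA; `root` passes because its MFA address is on the trusted domain, and the AD group mapping satisfies the directory check. In practice you would feed it the output of a fleet-wide attribute export and treat any finding on an admin-privileged account as a priority.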

This should give you an idea of the options available and how to get started deploying MFA in your environment. If you have additional questions about MFA and iDRAC, or would like to see it in the ATC, please contact your WWT account team.